J-Security Center

Title: Network Associates WebShield SMTP Trailing Period DoS Vulnerability

Severity: MODERATE

Description:

A certain configuration of Network Associates WebShield SMTP is vulnerable to a remote denial of service attack. If WebShield and the mailserver are installed on the same machine and the "Direct Send" option has been enabled in the "Delivery" - "Mail Send" configuration in WebShield, this vulnerability can be exploited by sending an email with a dot character trailing the domain name such as 'user@companyxyz.com.'

In this case, Company XYZ with the domain of companyxyz.com is used as an example. The server running WebShield SMTP at Company XYZ does not recognize that 'user@companyxyz.com.' is equivalent to 'user@companyxyz.com' even though both are Fully Qualified Domain Names (FQDN). Therefore, if a remote user attempts to send an email to 'user@companyxyz.com.' (note the trailing period), WebShield SMTP will not recognize 'companyxyz.com.' as a local domain.

WebShield SMTP will then look up the MX (mail exchange) record for 'companyxyz.com.' in DNS and send itself a copy of the message while adding a 'Received:' line. WebShield SMTP will continue to send itself the email, each time adding a 'Received:' line, indefinitely until either the offending email is manually removed or CPU resources are utilized to such a degree that the application crashes. WebShield will continue this process, even after a reboot, until the offending email is manually removed.

This exploit will only work if an MX record is pointing to the domain.
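
The two checks whose absence the description implies, sketched as an added defensive example (not code from Network Associates or from this advisory): normalize the recipient domain so that a trailing root dot still matches a local domain, and refuse a message once its 'Received:' count passes a hop limit. The function names, the `MAX_HOPS` value and the sample message are assumptions made for illustration.

```python
from email import message_from_string

LOCAL_DOMAINS = {"companyxyz.com"}  # example domain used in the advisory
MAX_HOPS = 25                       # assumed loop threshold; set per site policy


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and drop the single trailing root dot."""
    domain = domain.strip().lower()
    if domain.endswith("."):
        domain = domain[:-1]
    return domain


def is_local_recipient(address: str, local_domains=LOCAL_DOMAINS) -> bool:
    """True when the recipient's normalized domain is one this host serves."""
    _, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return False
    return normalize_domain(domain) in {normalize_domain(d) for d in local_domains}


def hop_count(raw_message: str) -> int:
    """Number of 'Received:' headers already stamped on the message."""
    return len(message_from_string(raw_message).get_all("Received", []))


def routing_decision(address: str, raw_message: str, max_hops: int = MAX_HOPS) -> str:
    """Return 'reject-loop', 'deliver-local' or 'relay' for one recipient."""
    if hop_count(raw_message) >= max_hops:
        return "reject-loop"      # stop a message that keeps re-entering the queue
    if is_local_recipient(address):
        return "deliver-local"    # never do an MX lookup for our own domain
    return "relay"


def constructed_message(hops: int) -> str:
    """Constructed sample message carrying `hops` Received headers."""
    received = "".join(
        f"Received: from gw.example by gw.example; hop {i}\n" for i in range(hops)
    )
    return received + "To: user@companyxyz.com.\nSubject: sample\n\nbody\n"


if __name__ == "__main__":
    print(routing_decision("user@companyxyz.com.", constructed_message(2)))
    print(routing_decision("user@other.example", constructed_message(30)))
```
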

Affected Products:

  • Network Associates WebShield SMTP 4.5.0
